Forum Discussion

9 Replies

  • Jesse,

     

     

    The way I've found to do it (not my favorite) is to create a second HTTPclass that matches the specific url, and generate the second policy for it, with the signatures I want disabled turned off.

     

     

    As for doing it within the same policy, I don't think there is a way, at least not in version 10. It might be something good to send to who ever your sales contact is as a request for enhancement.

     

     

    Anyone found another way/better way to do it?

     

     

    ->josh
  • What type of attack sigs do you want to disable? Once you define the specific URL in the policy, you shouldn't have any URL attack signatures applied to the URL as it's been explicitly defined.

     

     

    You can disable attack sigs on a specific URL's parameters by defining the URL, creating a * wildcard parameter on that URL and unchecking 'Check attack signatures on this parameter'.

     

     

    Aaron
  • Posted By hoolio on 12/27/2011 03:29 PM

     

    What type of attack sigs do you want to disable? Once you define the specific URL in the policy, you shouldn't have any URL attack signatures applied to the URL as it's been explicitly defined.

     

     

    You can disable attack sigs on a specific URL's parameters by defining the URL, creating a * wildcard parameter on that URL and unchecking 'Check attack signatures on this parameter'.

     

     

    Aaron

     

    Thanks to both of you for the reply's.

     

     

    I have disabled some attack signatures on the parameters as you described, and that seems to work well if there is a parameter to deal with. But what if there is not specific paramater?

     

     

     

    For example, I've got some blocking from Signature ID 200002279 - SQL-INJ "delete from" (Headers). In this example, it isn't a parameter that is being enter that is causing the issue. How would I disable that signature on a specific url?

     

  • Hi Jesse,

     

     

    As Josh said, I don't think you can disable a header based attack signature for a specific URL. Here are a few options:

     

     

    - open an RFE with F5 Support to request this functionality. This might be a good idea regardless of which option you select.

     

    - disable the specific attack signature globally. This is the simplest option, but lowers the security of your policy somewhat.

     

    - create a separate policy for the specific URL which is a copy of the original policy with the specific attack signature disabled. The downside to this is that you would need to manually maintain two policies.

     

    - put the specific signature(s) in a separate attack signature set and put that signature set in transparent mode. Use an iRule to manually block any requests which trigger that attack sig which is not on the specific URL. I think this might be the closest way to do what you want. You'd basically create an iRule which checks the ASM::violation_data output in the ASM_REQUEST_VIOLATION event. See the wiki pages for details: http://devcentral.f5.com/wiki/iRules.asm.ashx

     

     

    Aaron
  • Aaron,

     

     

    Thank for your response, its been very helpful. At least it gives me some options.
  • Hi Experts,

     

     

    I am just trying something like this:

     

     

    when ASM_REQUEST_VIOLATION

     

    {

     

    set x [ASM::violation_data]

     

     

    for {set i 0} { $i < 7 } {incr i} {

     

    switch $i {

     

    0 { log local0. "violation=[lindex $x $i]" }

     

    1 { log local0. "support_id=[lindex $x $i]" }

     

    2 { log local0. "web_application=[lindex $x $i]" }

     

    3 { log local0. "severity=[lindex $x $i]" }

     

    4 { log local0. "source_ip=[lindex $x $i]" }

     

    5 { log local0. "attack_type=[lindex $x $i]" }

     

    6 { log local0. "request_status=[lindex $x $i]" }

     

     

    }}

     

     

    if {([lindex $x 0] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED" and [lindex $x 5] contains "ATTACK_TYPE_CROSS_SITE_SCRIPTING" )

     

    and ([HTTP::uri] contains "/x/y/z.js")

     

    }

     

    HTTP::respond 200 content {

     

     

     

    Block Page

     

     

     

    Your Requested has been blocked please contact your systems adminstrator

     

    Your support ID is: <%TS.request.ID()%>

     

     

     

    }

     

    else {

     

    return

     

    }

     

     

    }

     

     

    for strange reasons it's just not triggering, am i making any obvious mistake here ?

     

     

    Cheers

     

    Jani
  • oops, found it, had to enable ASM irule events in asm policy
  • Looks like this irule is working till allowing what i need to, however i am still stuck with logic in else statement, how do i make sure user gets to requested uri, any pointers ?
  • Hi Prashant,

     

     

    Can you post the debug logging from /var/log/ltm for a request that fails?

     

     

    Thanks, Aaron